This rule ensures that nobody can get around the Data Protection Act simply by sending data to somewhere where it is legal to reveal it.
-
Be processed fairly and lawfully - Basically, this means that the company must:
• Tell people why, in clear language, they are processing their data.
• Tell people about any non-obvious reasons for which their data is being processed.
It is important that it is in "clear language" because hiding important things behind complex terms is not fair. Nor is it regarded as fair to put a notice in tiny print that is difficult to locate or read.
-
Be kept secure against loss, damage and unauthorised and unlawful processing - This principle is about having reliable security for personal information. The main objective is to make sure personal data has suitable security. This doesn’t just mean security on computer systems (such as password protection and the positioning of screens). One of the most important aspects of security is making sure that companies do not give out personal data to someone who has no right to receive it.
-
Be processed within the rights of data subjects - There are other vital privacy rights in addition to the Data Protection Act. These include the right to confidentiality, and they affect how personal information can be used by companies.
-
Be obtained for specified and lawful purposes - This adds that the company must have a specific reason for processing data. Also, the data can only be processed for that purpose and no other.
-
Be adequate, relevant and not excessive for the purpose - This means that companies should collect the right amount of information to fulfil the purpose - no more and no less.
To check whether they are collecting too much data, companies look at the data and consider which pieces of information are absolutely critical to enable them to do whatever it is they are trying to do. Whatever is left can't be critical, so it is unnecessary and should therefore be disposed of.
-
Be accurate and up-to-date - Personal data must be accurate at all times. There should be regular checks that the files are accurate and up to date.
One reason for needing accurate personal data is to avoid inconvenience, damage or distress. For example, if a school needs to contact a parent in an emergency but does not have the correct telephone number, this could result in distress for both parent and child.
-
Not be kept longer than necessary - When any personal data has served its purpose, it must be disposed of appropriately. The longer a company holds personal files, the longer it will need to ensure that they are accurate. Also, the longer information is kept after it is needed, the less relevant it becomes. There is no benefit in keeping the data for longer than necessary.
Data Protection Act Breach
-
In April 2013, three police forces accidentally sent personal details of 1,000 staff to a security firm. The forces could be punished under the Data Protection Act. G4S (the security firm) said all files had been deleted, but this will come as no reassurance, as the firm may not be trustworthy. A statement said the data sent went beyond what was required, breaching the Data Protection Act’s principles. This is therefore a breach of the Act, and a criminal investigation will take place as a result to see who is to blame before action is taken.
-
A GP's receptionist who accessed sensitive medical information about her ex-husband's new wife has admitted breaching data protection law. She was fined £750. The two medical documents she accessed were referred to as highly confidential.
Everybody expects their doctors to keep their information confidential, but here it was accessed by someone else. The victim of this crime feels betrayed and vulnerable because someone she barely knows now knows private information about her. What has happened can’t be undone, and the fine of £750 will only give a small amount of satisfaction – some will feel that the penalty was rather lenient.